Recently active topics

Our current license is at 5 TB quota, and we ingest only 337 GBs/day. In the learning material of Cribl University, I saw a reference to a free license of up to 1 TB without distributed administration to the workers, is it possible for us to move from our current 5 TBs license to a free one?

This guide walks you through pointing Claude Cowork’s OpenTelemetry (OTel) export to a Cribl Stream OTel Source in Cribl Cloud so you can monitor Cowork activity alongside your other telemetry. For full Cowork monitoring details, see Monitor Claude Cowork activity with OpenTelemetry and the Claude Cowork monitoring setup docs.Configure the Cribl OTel sourceIn Cribl Stream (Cribl Cloud): Create or open an OpenTelemetry source. Set: OTLP Version: 1.3.1 Protocol: HTTP Port: {PORT} (port 4318 is currently unavailable on Stream in Cribl Cloud; use a port in the 20000–20010 range) Turn on Extract logs and Extract metrics when you want OTLP batches split into per-event records for use in Stream pipelines. Enable TLS. Set Authorization > Auth Token to {TOKEN} (this will become the bearer token Claude Cowork uses). Note the port and token; you’ll plug these into Claude CoWork next. For more detail on source settings and ports, see the OpenTelemetry (OTel) Sourc

This message originated from Cribl Community Slack.Click here to view the original link.Hi guys, I have workers running on-premises and data is being sent successfully from the source to the destination. I also have some workers running in AWS. These workers are able to receive data, but for some reason the Dynatrace destination keeps returning 401 Unauthorized, so the data is not being delivered to Dynatrace. I confirmed the following: If I SSH to any AWS worker, I can successfully send data to Dynatrace using curl with the same endpoint and auth token. Firewall connectivity is open. outputs.yml is synced correctly from the Leader to the AWS workers. The AWS workers are using a specific RHEL 8 image. I tried the suggested checks related to fapolicyd and SELinux, and I also tested with SELinux disabled, but the issue still persists. As soon as I configure the destination and route data to it, the destination fails with a 401 error. Has anyone faced a similar issue before, or

This message originated from Cribl Community Slack.Click here to view the original link.Has anyone set up HAProxy or some sort of load balancer up for their on prem stream worker nodes? Would appreciate any tips or lessons learned people may have.

This message originated from Cribl Community Slack.Click here to view the original link.Hi all, I'm looking to add multiple teams to the cribl console that I manage. I won't be needing multiple workspace, so I consider using Projects in Stream . The setup is pretty simple, every team can read every projets but editor only of their own. My question is, is there any recommendations or tips to switch from using routes to subscriptions? Should I put all my routes to one sub, then let the teams filter with pipelines? Or make 1 sub per route already there? The goal is to make them autonomous without admin access

This message originated from Cribl Community Slack.Click here to view the original link.Hi all we are having this issue on the monitoring sectionLinks for this message:image.png

This message originated from Cribl Community Slack.Click here to view the original link.Hi everyone, is this billing endpoint no longer supported? I'm getting a 404 response: https://github.com/criblio/collector-templates/tree/main/collectors/rest/cribl_billing_credits Also, was the default rule set CriblAPI removed at some point? I'm trying to ingest system/metrics but the default Cribl ruleset is not helping. I've built a custom ruleset with JSON Array and array field pointing to 'results.metrics' which then parses the event correctly, but I'd like to know if there is a better way. Thanks!

This message originated from Cribl Community Slack.Click here to view the original link.Is they any way to capture a full Splunk HEC payload coming into the Splunk HEC source before it breaks out the event into _raw? I have a source sending into /services/collector/event so I know event in the JSON is what gets stored as _raw. I would like to see the rest of the JSON outside of the event field when the data is sent. It is a cloud based source so I cannot check on that end. Is this possible?

This message originated from Cribl Community Slack.Click here to view the original link.Any general recommendations on using C.Lookup in an EVAL, versus using the Lookup function? I've always just used the C.Lookup in the eval, but I'm curious if / what are the benefits of using one over the other

This message originated from Cribl Community Slack.Click here to view the original link.Is there a restriction on what ports I can use for incoming syslog traffic in Stream? I created a new one today on port 9516 and it will not come up. I deleted it, cloned a working config changing just the port to 9516, and again it did not work. I thought perhaps there was a restriction to stop me from using it, but the UI doesn't indicate any problem.

This message originated from Cribl Community Slack.Click here to view the original link.Hello all, I'm trying to configure File monitor on a fleet of Ubuntu host. The error I'm getting s EACCES: permission denied, watch '/var/log/whatever.log' Would the fix just be granting the Cribl user permissions over that folder? Since I don't have access to those folders, I want to see if someone has a known solution to this, can't test it out since I don't have access to the host and want to minimize effort for the team managing those host.

This message originated from Cribl Community Slack.Click here to view the original link.I am considering how to tune noise out of a stream of data in a route. I started with: source == 'pan' && _raw.includes('THREAT,vulnerability') && !(_raw.includes('SMB: User Password Brute Force Attempt(40004)') && raw.includes('adm<user>')) However, I can forsee this getting to be pretty long and granular. There must be a better way to architect this. Any suggestions?

This message originated from Cribl Community Slack.Click here to view the original link.i have some data that is getting processed in stream and I want to send it to search LHE. Will search take the timestamp that has already been created for the event within the pipeline, or do I need to create an additional timestamp config via datatypes?

This message originated from Cribl Community Slack.Click here to view the original link.Hi! Do you know if there is any type of performance advantage on using quickconnect instead of routes besides the fact of avoiding filter testing for each route? In my mental model, a quickconnect entry is a route that takes the input id as filter, but i wonder if there is a non-negligible difference in terms of performance.

This message originated from Cribl Community Slack.Click here to view the original link.I'm starting to toy and mess around with Cribl Edge as a possible replacement for our Splunk UFs. I know it natively has the Windows Event Log collection. Is there a way to filter down specific EventCodes or even specific occurrences of EventCodes right within the Edge endpoint? Reading through this I'm not seeing it super clear as to how to do that: https://docs.cribl.io/edge/sources-windows-event-logs/. The other thing I'm exploring is if anyone has gone down the path of monitoring Windows Registry changes using Cribl Edge? I'm assuming we can do this utilizing the Exec source in some way, but didn't know if someone has already gone through this exercise and might have some insights. Just trying to find a scalable solution to what is provided by the Splunk UF WinRegMon capability.

This is a practical walkthrough for choosing rollup functions like MAX, LAST, and AVG when you aggregate gauges from short sample intervals (for example, 2 seconds) into longer windows (for example, 30 seconds) with our Rollup Metrics Function.We’ll use Cribl Internal Metrics as examples, but the reasoning applies to any gauges in your environment. 1. Start with the question, not the function 2. Classify the gauge: three useful buckets A. Ordinal health gauges B. Binary / boolean gauges C. Continuous gauges 3. Choosing rollups for each gauge type A. Ordinal health gauges – “what state did we reach?” B. Binary / boolean gauges – “ever true” vs “currently true” C. Continuous gauges – “now, typical, or worst?” FINALE! Putting it all together with a checklist.1. Start with the question, not the functionBefore you touch any rollup settings, ask: what question am I trying to answer with this gauge?“Did this ever reach an interesting state in this window?” Examples: “Did anything go red

Testing environments are great 🥳 As a Customer Success Engineer I’m always trying to help our customers with advice. One recommendation I’ve found myself making a lot recently relates to testing.In this article I’m going to briefly cover a few reasons why a test environment is useful and then discuss a few tips to get started. A good testing system will give you more freedom to experiment, greater technical assurance and allow you to do more cool things with Cribl! Why is building a test system valuable?Test environments take some effort to create, so I want to highlight the main benefits. This is not an exhaustive list but the first things I’d consider to set as goals.Regression testingWhenever you make a change to a system whether that’s a version update, a major pipeline overhaul or a protocol switch, it’s always valuable to assess if existing functionality remains unchanged. Having a test system enables these tests. Integration testingSometimes you may have a new integration into

Stream - Real-time analytics for AI conversations. Tracks costs across 16+ models, grades response quality (A-D), detects sentiment and intent, and provides optimization recommendations - all in-stream. View Pack

This one is all about control, precision, and making things just work better.Platform• IP Allowlist for API Credentials: Lock API keys to trusted networks.• Terraform Config Exporter: Turn live configs into Terraform. No more rebuilding by hand. Capture it once, reuse it everywhere.Stream• Cribl Guard Detection Improvements: Better signal, less noise. More accurate sensitive data detection without the alert fatigue.Search• Field Transformation on Ingest (Lakehouse Engine): Shape your data on the way in so you’re not wrangling it later.• Clear Datasets: Reset datasets without deleting them. Cleaner workflows, faster iteration.• New 2XS and 3XS Tiers: Smaller entry points for federated and lakehouse engines. Test, validate, and scale without overcommitting.These are just the highlights. Check out the full release notes for Stream, Edge, Search, and Lake.Cribl.Cloud customers are already upgraded—just click Deploy.On-prem customers can download the update now.

This message originated from Cribl Community Slack.Click here to view the original link.Hello Team, have a weird issue with a token in a dashboard in Cribl Search. I have a dropdown input that is populated by a search, which is working fine, however it has a value being returned that is Software/Technology I am trying to use the value to filter results in a table in one of the visualizations however I am getting an error because of the / character in the value. The error is Search failed: mismatched input '/' expecting {<EOF>, ';'}; token: /; line: 1 column: 119 is there any way to sanitize the token so that it can just search on the text?

This message originated from Cribl Community Slack.Click here to view the original link.I am considering scheduling a search to return if any IOCs are found from various sources I get e.g. CISA, MSISAC, EDR company, etc. I have a basic lookup: ip,source_desc 5.252.179.169,waterisac 5.252.179.89,waterisac I tried what I thought would work in search and then went to AI to refine it because it was returning my internal IPs not the IPs in the lookup:Links for this message:image.png

This message originated from Cribl Community Slack.Click here to view the original link.Does anyone know if Cribl Edge can handle xpath filtering on the windows log ingestion side? IE I can feed it the xpath that I want for logs and it honors that

This message originated from Cribl Community Slack.Click here to view the original link.If I apply a TLS cert to our workers' distributed TLS settings through the UI (or via console, in instance.yml), one by one, and then apply the cert to the leader, control plane communication will be down for each worker until I finish with the leader. Will other communication (data plane, in particular) be broken during that time, as well? I'd like to know if I should plan for data loss during that period.

This message originated from Cribl Community Slack.Click here to view the original link.Hi, I am using Google pub/sub source in Cribl stream with Manual Authentication(with Service account creds in Json format) I am getting Permission denied error but the same creds are working when tested with python code from my local. Below is the sample screenshot what values(not the actual values though) I have provided for my source I have tried couple of other ways to troubleshoot but getting same error. Verified that the Service account and subscription are from same project and have the required access Below are the errors that I am seeing message: Error listing subscription permissions err: message: 7 PERMISSION_DENIED: User not authorized to perform this action. I do have a question that Is there a requirement on GCP side that we should allow list Worker group IP? (Not mentioned in the docs) I have referred this doc here: Google Cloud Pub/Sub Source | Cribl DocsLinks for this message

This message originated from Cribl Community Slack.Click here to view the original link.Hi all - I have a QQ on Azure Blob Collectors. We have databricks pushing logs into a databricks development container and files for \audit, and \query. Ive tried adhoc pull but with no success. This is set up exactly like our prod Stream -> container. Im getting the "This request is not authorized to perform this operation using this permission. Are the permissions different for when we need to pull logs in from that container rather than push into it?